609 years and 11 months. That's how long the password generator website Random-ize tells me it would take hackers to brute-force their way through my most important password. The timescale is reassuring, with one caveat: estimates like this assume a fixed guessing rate, whereas an attacker who has stolen a password hash from a breached site can guess offline, at billions of attempts per second on a GPU if the site used a fast hash, and will try dictionary words and the usual substitutions long before resorting to exhaustive search. Those of us who work in technology have probably been on top of password complexity for many years, yet many jaw-droppingly weak passwords remain popular, for example 'qwerty', '123456' and indeed 'password'. According to SplashData's most recent annual top 100 chart of the World's Worst Passwords, most of the top ten can be cracked in less than one second.

Like them or loathe them, passwords gate so many of the tasks that shape our daily lives: checking our bank balances, signing in to a Netflix account, unlocking our mobile phones. According to a 2017 study by Digital Guardian, 70% of people have more than ten password-protected accounts online, and 30% have "too many to count." At the same time, we are repeatedly advised to use a different password for every login. Hands up if you clicked the 'forgotten password' option at least once in the last month. With my current tally of 276 passwords (and rising), it is safe to say that recently adopting a password manager has been a life-changing experience for me.

Because we use passwords so often, they present a familiar dilemma. If a password is easy to remember, perhaps the name of a pet, the street we grew up on or the name of our favorite film star, then it is probably easy to guess. If it is very complex, it will be a nightmare to remember. According to haveibeenpwned.com, over 5 billion online accounts appear in known data breaches, mine included. Hence the password manager.

Dog in disguise. Photo by Braydon Anderson on Unsplash.

Biometric authentication, which verifies a person by measuring a physical characteristic, has had mixed results. On the one hand, the iPhone 5S's Touch ID fingerprint scanner was met with near-universal acclaim when it launched in September 2013. On the other hand, when Alibaba added a "blink test" to its facial recognition system, it could easily be fooled by a video. The underlying weakness is that a biometric is an identifier rather than a secret: a face appears in every photograph and a fingerprint is left on every glass, and neither can be changed once a copy exists, so the security of the scheme rests on the sensor's ability to tell a live person from a replay.

Many financial institutions, including Citibank and Bank of America, have now largely scrapped passwords for their mobile apps, favoring biometric authentication methods such as fingerprint and voice recognition, in the hope of reducing the risk of account compromise. And if a picture is worth a thousand words, London start-up PixelPin has developed a new approach to online authentication that uses personal photos in place of passwords. The user chooses an image that means something to them, a family photo or a holiday snap, then picks four specific points on that image to touch in sequence.

Apple now allows users to unlock their devices or make payments using Face ID. It works even in challenging conditions, such as in the dark or when the owner is wearing sunglasses, and uses machine learning to update its model of a face as that face changes over time.

However, in spite of our many efforts to replace passwords completely, they still have a place in how we manage our information and identify ourselves online. Biometric unlocking does a great deal to protect the handset, but what about the multiple online accounts we all live with? In "The Persistence of Passwords", published in IEEE Security & Privacy, Cormac Herley and Paul van Oorschot argue against the "spectacularly incorrect assumption" that passwords are dead, and conclude that "no other single technology matches their combination of cost, immediacy and convenience". Staring at my 276 passwords (and rising) I would tend to agree: with a different password on every account, a breach at one site cannot simply be replayed against the others, which contains the impact of any inevitable hacks. But passwords by themselves are not enough.

One reliable way of securing your accounts is two-factor authentication, or 2FA for short. After the password, the user must supply a second factor: a one-time code that is either sent to them by SMS or generated on their own phone by an app such as Google Authenticator or Authy, which holds a secret shared with the service at set-up and derives a fresh code from it, typically every thirty seconds. Even if the password were compromised, the account could not be accessed without that temporary code. Of the two channels, SMS is the weaker: a code sent to a phone number is only as safe as the number itself, which can be redirected by anyone who persuades the carrier to move it to a new SIM. Many major tech providers actively encourage their customers to use 2FA, while some companies such as MailChimp reward customers with a discount for applying this additional layer of security. The first piece of advice that haveibeenpwned.com offers to anyone who finds their account in a breach is to enable 2FA.
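To make the authenticator-app side of 2FA concrete, here is an added example, written for this edit rather than taken from the article or from any of the products it names. It implements the open standards those apps use (HOTP from RFC 4226 and TOTP from RFC 6238), decodes the Base32 secret that a provisioning QR code carries, and adds the server-side checks a service needs: a small tolerance for clock skew between phone and server, a constant-time comparison, and a refusal to accept the same time step twice, which is what stops an intercepted code from being replayed. The one-step window and the thirty-second step are assumed defaults; the shared secret is the published RFC test-vector key, used here as constructed input.

```python
"""TOTP codes of the kind Google Authenticator and Authy generate (RFC 4226 HOTP
under RFC 6238 TOTP), plus a server-side verifier that tolerates clock skew and
refuses to accept a code twice. Added example, not the article's own code."""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, truncate dynamically, reduce mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                      # low nibble of the last byte picks a 4-byte window
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: the counter is the number of `step`-second intervals since the Unix epoch."""
    now = time.time() if at is None else at
    return hotp(secret, int(now) // step, digits, algo)


def secret_from_base32(encoded: str) -> bytes:
    """Decode the Base32 secret from an otpauth:// provisioning URI; padding is usually omitted."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side check. Accepts codes from the current step and `window` steps either side,
    compares in constant time, and never accepts a step at or before the last one accepted
    (RFC 6238 section 5.2), so a code that was captured and resent is rejected."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret, self.step, self.digits, self.window = secret, step, digits, window
        self._last_accepted = -1                 # highest counter value already consumed

    def verify(self, code: str, at=None) -> bool:
        now = int(time.time() if at is None else at)
        current = now // self.step
        for delta in range(-self.window, self.window + 1):
            counter = current + delta
            if counter <= self._last_accepted:
                continue                         # already used, or older than a used step: replay
            if hmac.compare_digest(hotp(self.secret, counter, self.digits), code):
                self._last_accepted = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed input: the shared secret from the RFC 4226 / RFC 6238 test vectors,
    # i.e. ASCII "12345678901234567890", as it would appear in a provisioning QR code.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print(totp(key, at=59))                      # 287082 (RFC 6238 Appendix B, 6-digit form)
    verifier = TotpVerifier(key)
    print(verifier.verify("287082", at=59))      # True
    print(verifier.verify("287082", at=59))      # False: the same code a second time is a replay
```

Two design points are worth noting. The verifier records the highest accepted step rather than a set of used codes, which is all the state needed to block replay while still allowing the next step's code through. And the skew window is deliberately small: every extra step of tolerance keeps an intercepted code valid for another thirty seconds.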


Twitter’s Brenda O'Connell stated at Mobile Sunday 2016: “Email is dead. The core identifier is your mobile number, and 2FA is the new password.” While I suspect she is right in the long term, the reality will rest somewhere in between all of these methods for the foreseeable future.

I have pursued my twin passions of music and mobile since the 1990s. My music career started with a band, a record deal, a top 30 hit, tours with Depeche Mode & U2, and a solo club hit. As mobile tech became the new rock'n'roll, I pivoted to working in a mobile music st...